If NAT were not used on gate2 -- and it is probably not necessary -- you would have a standard dual firewall with a DMZ subnet (10.0.1). If so, you merely need to add routing table entries for the internal protected network (192.168) to gate1 and to your servers in the DMZ. e.g.:

# route add -net 192.168.4.0/24 10.0.1.20

Because you are using NAT in gate2, all packets originating on 192.168.4/24 are translated to 10.0.1.20. This eliminates the need to route to the 192.168 subnet from systems on the 10.0.1 DMZ. In theory. But without further diagnostics of the environment (ping, tcpdump, fw ruleset, etc.) there's no way to know the source of your configuration problem.

I have already tried your hint... and it works well.
Traffic from 192.168.4/24 is routed by gate1 (10.0.1.1). It works fine, but I would like to find a different solution, where traffic from the two subnets is completely separate. It's just a security doubt (I guess double NAT = double security... or perhaps it is only a figment of my imagination?).
I think it is not a config problem, but a networking concept that I lack.

I would like to find a solution where traffic from 192.168.4/24 is translated,
and clients from that subnet can access the web and my internal webserver too.

Assuming that clients have no route for the 192.168.4/24 net, I try to access the webserver through the public IP.
(the webserver has a public IP NATted (88.99.100.5) to make it accessible from the web)
I can ping but not browse... I don't know where my mistake is... but I'm starting to think that I can't do it.

You need to do the NAT for the web server on the incoming interfaces of both firewalls (in relation to the web server).

IOW, you need a NAT rule on gate1 (em1) that translates between the 88.99.100.x address and the 10.0.1.5 address for the web server. This handles all the traffic to/from the Internet.

Then you need a NAT rule on gate2 (bce1) that translates between the 88.99.100.x address and the 10.0.1.5 address for the web server. This handles all the traffic to/from the local network.

Better still is to implement proper split DNS, such that DNS requests from the Internet resolve to the 88.99.100.x address, and DNS requests from the local network resolve to a 192.168.4.x address (which is an alias on gate2 with 1-1 NAT for the web server).

Alternatively, if these are located in the same building, you can consolidate the two gateX boxes into a single firewall with three NICs: 1 connected to the Internet, 1 connected to the DMZ, 1 connected to the local LAN. Then you just write all your rules on a single box. Just be sure to write very specific rules, including the interface and direction (in recv em0 not via em0, for example).
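The two NAT rules described above, written out as FreeBSD ipfw rule sets for both firewalls. This is an added example, not configuration from anyone in this thread; ipfw is used because the "in recv em0" phrasing above is ipfw syntax. Taken from the thread: gate1's Internet side is em1, gate2's LAN side is bce1, gate2 sits at 10.0.1.20 in the DMZ, and the web server is 10.0.1.5 behind public address 88.99.100.5. Assumed, because the thread does not say: gate1's DMZ side is em0, gate2's DMZ side is bce0, 88.99.100.5 is configured as an alias on gate1's em1 so it answers ARP for it, and only web-server traffic is shown (everything else is denied, so real rule sets need additional allow rules).

```ipfw
# Added example, not from the thread. Interface roles: see the lead-in.
# Each packet is evaluated twice by ipfw (on input and on output), so every
# rule names both the interface and the direction, as recommended above.

############ gate1 (Internet <-> DMZ) ############
kldload -n ipfw_nat                       # in-kernel NAT (libalias) module
sysctl net.inet.ip.fw.one_pass=0          # keep filtering after a nat rule matches
ipfw -q -f flush

# 1-1 NAT 88.99.100.5 <-> 10.0.1.5, bound to the Internet-facing interface only
ipfw -q nat 1 config if em1 redirect_addr 10.0.1.5 88.99.100.5
ipfw add 100 nat 1 ip from any to 88.99.100.5 in recv em1
ipfw add 110 nat 1 ip from 10.0.1.5 to any out xmit em1

# Filter rules see post-translation addresses (rule 100/110 already ran)
ipfw add 200 allow tcp from any to 10.0.1.5 80,443 in recv em1     # Internet -> web
ipfw add 210 allow tcp from any to 10.0.1.5 80,443 out xmit em0    # (assumed DMZ NIC)
ipfw add 220 allow tcp from 10.0.1.5 80,443 to any in recv em0     # web -> Internet
ipfw add 230 allow tcp from 88.99.100.5 80,443 to any out xmit em1 # src mapped by 110
ipfw add 65000 deny log ip from any to any

############ gate2 (DMZ <-> LAN) ############
kldload -n ipfw_nat
sysctl net.inet.ip.fw.one_pass=0
ipfw -q -f flush

# nat 1: same 1-1 mapping, but on the LAN side, so LAN clients can use the
#        public address of the web server
# nat 2: the source NAT the LAN already has, hiding 192.168.4.0/24 behind 10.0.1.20
ipfw -q nat 1 config if bce1 redirect_addr 10.0.1.5 88.99.100.5
ipfw -q nat 2 config if bce0
ipfw add 100 nat 1 ip from 192.168.4.0/24 to 88.99.100.5 in recv bce1
ipfw add 110 nat 1 ip from 10.0.1.5 to 192.168.4.0/24 out xmit bce1
ipfw add 120 nat 2 ip from 192.168.4.0/24 to any out xmit bce0
ipfw add 130 nat 2 ip from any to 10.0.1.20 in recv bce0

# LAN client -> web server: dst rewritten to 10.0.1.5 by rule 100 on input,
# src rewritten to 10.0.1.20 by rule 120 on output
ipfw add 200 allow tcp from 192.168.4.0/24 to 10.0.1.5 80,443 in recv bce1
ipfw add 210 allow tcp from 10.0.1.20 to 10.0.1.5 80,443 out xmit bce0
# web server -> LAN client: dst restored by rule 130 on input,
# src mapped back to the public address by rule 110 on output
ipfw add 220 allow tcp from 10.0.1.5 80,443 to 192.168.4.0/24 in recv bce0
ipfw add 230 allow tcp from 88.99.100.5 80,443 to 192.168.4.0/24 out xmit bce1
ipfw add 65000 deny log ip from any to any
```

The point of binding each nat instance to one interface and matching on direction is that the same mapping can exist on both gateways without either one translating traffic it was not meant to see; `ipfw -a list` and `ipfw nat 1 show` on each box show which rules and translation entries a test connection actually hit. With split DNS as suggested above, the nat 1 instance on gate2 becomes unnecessary, and the consolidated three-NIC variant is these same rules on one host with the 1-1 mapping bound to the Internet NIC and the LAN rules written against the LAN NIC.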